You may see the phrase "penetration test" used interchangeably with the phrase "computer security audit". They are not the same thing. A penetration test (also known as a pen-test) is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or Web server. Penetration testers may only be looking at one service on a network resource. They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site.

On the other hand, a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

Security audits do not take place in a vacuum; they are part of the on-going process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resources throughout the organization. Given the dynamic nature of computer configurations and information storage, some managers may wonder if there is truly any way to check the security ledgers, so to speak. Security audits provide such a tool, a fair and measurable way to examine how secure a site really is.

Computer security auditors perform their work though personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:

• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• Have all unnecessary applications and computer services been eliminated for each system?
• Are these operating systems and commercial applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

These are just a few of the kind of questions that can and should be assessed in a security audit. In answering these questions honestly and rigorously, an organization can realistically assess how secure its vital information is.


Web Application Security

Web application security is one of the aspects most at risk from the adoption of web-based technologies for conducting business online. While web applications have enabled organizations to connect seamlessly with suppliers, customers and other stakeholders; web application vulnerabilities have also exposed a multitude of previously unknown security risks.

If web application security is not taken care of, meaning that web application vulnerability is allowed to happen, then not only your entire database of sensitive information is at serious risk, but your website can become the launch site of criminal activities such as hosting phishing sites or used to transfer illegal content.

Some hackers take advantage of this lack of web application security from web application vulnerabilities such as SQL Injection or Cross-Site Scripting and may maliciously inject code within vulnerable web applications to trick users and redirect them towards phishing sites.

Recent research shows that 75% of cyber attacks are done at web application level. Hence ensuring web application security is crucial.

• Firewalls and SSL provide no web application security nor protection against web application hacking, simply because access to the website has to be made public – ports 80 and 443 must remain open to allow the web application retrieve, deliver and update the data residing within the database servers
• Web applications often have direct access to backend data such as customer databases and, hence, control valuable data and are much more difficult to secure
• Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack 

Article source: http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview
Article source: http://www.acunetix.com/websitesecurity/webapp-security.htm